Ali Yazdani

Principal Product Security Engineer

Berlin, Germany

Experience

Jul 2024 - Dec 2024
6 months

Principal Product Security Engineer

Payrails GmbH

  • Defined and executed a comprehensive security roadmap: integrated Shift-Left Security, CNAPP, and DevSecOps principles to streamline secure product development and reduce risk exposure.
  • Established a robust threat modeling framework: embedded security into design processes, enabling early identification of vulnerabilities and reducing potential risks.
  • Developed a scalable Vulnerability Management program: accelerated detection and remediation of new vulnerabilities, significantly shortening the risk response cycle.
  • Enhanced cloud and container security: leveraged advanced tools such as Tetragon to achieve deeper visibility and implement a defense-in-depth strategy.
  • Automated security controls within CI/CD pipelines: integrated security measures into the development lifecycle to maintain continuous delivery with robust safeguards.
  • Championed cross-functional collaboration: partnered with developers and infrastructure teams to prioritize threats and align remediation efforts, fostering a unified security culture.
  • Ensured regulatory compliance and audit readiness: collaborated closely with the InfoSec team to adhere to internal policies and successfully support audits for standards like PCI-DSS and SOC2.
Aug 2022 - Jun 2024
1 year 11 months

Principal Security Engineer

ScoutBee GmbH

  • Embedded secure development practices: collaborated with development teams to implement secure coding best practices and establish robust CI/CD guardrails, ensuring alignment with evolving security objectives.
  • Enhanced cloud security posture: worked with infrastructure and SRE teams to identify vulnerabilities and misconfigurations; introduced infrastructure as code scanning, Cloud-Native Application Protection Platforms (CNAPP), and policy as code, significantly improving cloud security and operational visibility.
  • Advanced threat mitigation training: conducted threat modeling and secure coding workshops, empowering teams to proactively identify and mitigate risks during design and development, thereby reinforcing a shift-left security mindset.
  • Integrated comprehensive security controls: led the incorporation of static application security testing (SAST), software composition analysis (SCA), IaC security scanning, policy as code (PaC), and dynamic application security testing (DAST) into CI/CD pipelines across four key projects, reducing remediation costs and turnaround times.
  • Implemented IAM/PAM and Zero Trust: designed and deployed an identity and access management (IAM) and privileged access management (PAM) solution to enforce least privilege access across infrastructure. Integrated Zero Trust architecture by implementing Just-in-Time (JIT) access, role-based access control (RBAC), multi-factor authentication (MFA), and continuous access monitoring to secure infrastructure access.
  • Reduced design vulnerabilities: facilitated targeted threat modeling exercises that decreased potential software vulnerabilities before development.
  • Optimized vulnerability management: directed penetration testing and vulnerability management programs in collaboration with development and operations teams, achieving improved time-to-resolution and enhancing overall product security.
  • Promoted a DevSecOps culture: championed shift-left strategies throughout the software development life cycle (SDLC), fostering early detection and remediation of threats and reducing security risks.
  • Ensured regulatory compliance: conducted comprehensive security assessments and audits for applications and infrastructure, maintaining strict adherence to standards such as ISO 27001, TISAX, SOC 2, and GDPR.
Feb 2022 - Jul 2022
6 months

Staff Security Engineer

NewStore GmbH

  • Developed and implemented comprehensive application and API security strategies, incorporating secure coding practices along with robust authentication and authorization mechanisms.
  • Designed and deployed tailored security controls across cloud infrastructures, reinforcing the security posture for both AWS environments and Kubernetes deployments.
  • Directed extensive penetration testing and vulnerability management initiatives to proactively identify and remediate security gaps across applications, APIs, and supporting infrastructure.
  • Conducted thorough security assessments and audits to ensure continuous compliance with industry standards and regulatory requirements, including ISO 27001, SOC 2, and GDPR.
Sep 2021 - Feb 2022
6 months

Engineering Lead DevSecOps

Henkel AG

  • Integrated advanced DevSecOps technologies into CI/CD pipelines to strengthen application and infrastructure security, ensuring new services consistently adhere to security best practices.
  • Spearheaded comprehensive threat modeling sessions to proactively uncover security vulnerabilities in software designs, and developed effective countermeasures to mitigate risks.
  • Championed a shift-left strategy by collaborating with DevOps teams to embed security controls throughout the SDLC, fostering a culture of continuous improvement and heightened security awareness.
Jul 2019 - Aug 2021
2 years 2 months

Senior Security Engineer

Raisin GmbH

  • Conducted regular vulnerability assessments and penetration tests to uncover and remediate security weaknesses across applications, APIs, and infrastructure.
  • Designed and evaluated cloud and hybrid infrastructure solutions on Azure IaaS and PaaS, ensuring robust data protection and service continuity.
  • Applied threat modeling techniques to assess software designs and infrastructure, identifying potential security issues and implementing effective countermeasures.
  • Executed comprehensive security testing and code reviews within the SDLC, integrating SAST, SCA, and DAST tools into CI/CD pipelines to support a shift-left security strategy.
  • Collaborated closely with development, operations, and security teams to embed security practices into DevOps workflows, promoting a culture of continuous improvement and heightened security awareness.
Dec 2016 - Present
9 years 1 month

Open-Source Security Contributions

OWASP Foundation

  • Project Leader: OWASP DevSecOps Guideline – led the development and maintenance of a comprehensive guide for integrating security into DevOps practices, influencing the global security community.
  • Contributor: OWASP Mobile Security Testing Guide (MSTG) – contributed to the creation and refinement of a widely recognized framework for mobile application security testing.
Nov 2015 - Apr 2019
3 years 6 months

Red Team Tech Lead

MTN Irancell

  • Led vulnerability assessments and penetration testing initiatives to uncover and address security gaps across networks, applications, and systems.
  • Reviewed service architectures and conducted thorough threat modeling for critical services, designing effective countermeasures to protect data and services.
  • Developed and enforced comprehensive IT infrastructure security checklists for both new and existing systems to ensure adherence to regulatory and industry standards.
  • Engineered security tools and automation scripts that streamlined security processes and enhanced operational efficiency.
  • Contributed to the formulation and implementation of security policies, procedures, and standards aligned with industry best practices, thereby strengthening the organization's overall security posture.
Mar 2010 - Dec 2018
8 years 10 months

Penetration Tester

Freelancer

  • Conducted thorough web application penetration tests using tools such as Burp Suite, OWASP ZAP, and Nmap to identify vulnerabilities including XSS, SQL injection, and insecure authentication.
  • Executed extensive mobile application testing for iOS and Android platforms with MobSF, APK Analyzer, and Frida, uncovering issues like insecure data storage, flawed authentication, and weak encryption.
  • Compiled comprehensive vulnerability reports with detailed risk assessments and clear remediation recommendations, and effectively communicated findings to both technical and management teams.

Summary

Accomplished Security Engineer with 10+ years across Telco, FinTech, Retail, and SaaS. I integrate robust security practices into software development through DevSecOps, threat modeling, penetration testing, and vulnerability management—bridging the gap between technical and business teams. As leader of the OWASP DevSecOps Guideline project and a regular industry speaker, I drive secure, cost-effective innovation and champion a culture of proactive application security.

Languages

Persian: Native
English: Advanced

Education

Oct 2011 - Jun 2013

jdeihe.ac.ir

Bachelor · Computer Software Engineering · Iran, Islamic Republic of

Oct 2006 - Jun 2009

jdeihe.ac.ir

Associate · Computer Software Engineering · Iran, Islamic Republic of
